topic Re: Trying to configure a 2801 to let in VPN client PC's in Network Security

Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Fri, 21 Feb 2020 11:06:44 GMT

Hey there,

I need to configure my router to let a couple PC's get into my LAN remotely so we can do remote main. I have Cisco VPN client software and a SEC image on my router.

I tried SDM to make VPN work but it screwed up my NAT entries and all my users lost internet access!! 😞

Please have a look at my config. If you can give me any hints on what my it should look like to allow a few clients past my nat?

This config works with voice and remote access.

I'll be using it as a marker before I implement

VPN.

sh run

Building configuration...

Current configuration : 2895 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname BD2801

boot-start-marker

boot system flash c2801-adventerprisek9-mz.124-17.bin

boot-end-marker

logging buffered 51200 warnings

aaa new-model

aaa session-id common

ip cef

voice-card 0

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

fax interface-type fax-mail

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

interface FastEthernet0/1

description Starboard Stratos VSAT$FW_OUTSIDE$

ip address 10.20.46.20 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip mroute-cache

speed 100

full-duplex

interface FastEthernet0/3/0

interface FastEthernet0/3/1

interface FastEthernet0/3/2

interface FastEthernet0/3/3

interface Vlan1

description $FW_INSIDE$

ip address 192.168.49.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface Dialer0

no ip address

router eigrp 1

network 192.168.49.0

auto-summary

ip local pool vpn_pool_1 192.168.50.150 192.168.50.151

ip default-gateway 10.20.46.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.20.46.1

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0

ip nat inside source list 1 pool MADNATPOOL overload

access-list 1 permit 192.168.0.0 0.0.255.255

control-plane

voice-port 0/2/0

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

voice-port 0/2/1

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

ccm-manager mgcp

mgcp

mgcp call-agent 10.129.48.11 service-type mgcp version 0.1

mgcp dtmf-relay voip codec all mode nse

mgcp codec g729r8 packetization-period 60

mgcp playout adaptive 100 50 200

mgcp playout fax 500

no mgcp timer receive-rtcp

mgcp timer net-cont-test 1000

mgcp timer nse-response t38 1000

mgcp sdp simple

no mgcp fax t38 ecm

mgcp fax t38 nsf 000000

mgcp profile default

dial-peer cor custom

dial-peer voice 1 pots

service mgcpapp

port 0/2/0

dial-peer voice 2 pots

service mgcpapp

port 0/2/1

gateway

timer receive-rtp 1200

call-manager-fallback

max-conferences 4 gain -6

ip source-address 10.20.46.20 port 2000

max-ephones 24

max-dn 24

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

scheduler allocate 20000 1000

end

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Wed, 19 Nov 2008 11:00:47 GMT

You have forgotten to include the VPN config?

follow the below config example:-

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml

If this is not specific or does not fit - the below link has all config examples for your platform:-

http://www.cisco.com/en/US/products/ps5854/prod_configuration_examples_list.html

HTH>

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 13:10:46 GMT

Thanks for the reply! Ok so now I have a working VPN scenario.

My VPN Client can now get to some areas of my inside network.

I need to make sure NAT lets me get to all of my internal lan that is behind the router.

Can anyone help me adjust my NAT?

inet--> 10.20.46.20(router)192.168.49.1-->168.192.49.2(L3 3560 switch)192.168.50.0

192.168.51.0

192.168.52.0

etc.

Here's the router config.

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.20.46.1 10.20.46.30

ip dhcp pool S_LAN

network 10.20.46.0 255.255.255.0

default-router 10.20.46.1

dns-server

ip domain name ocean-group.net

ip name-server

voice-card 0

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

crypto pki trustpoint TP-self-signed-3884018817

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3884018817

revocation-check none

rsakeypair TP-self-signed-3884018817

crypto pki certificate chain TP-self-signed-3884018817

certificate self-signed 0D

quit

fax interface-type fax-mail

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Wed, 19 Nov 2008 13:23:37 GMT

why have you configured the VPN pool out of 10.x.x.x IP addresses?

I would use a 192.168.x.x address pool, then configure my nat something like

access-list 101 deny ip 192.168.x.x 0.0.255.255 192.168.x.x 0.0.0.255

access-list 101 permit 192.168.0.0 0.0.255.255

ip nat inside source list 101 pool MADNATPOOL overload

HTH?

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 13:56:04 GMT

Well actually my Public IP is something different than my outside router interface. My ISP dropped the VPN down on the 10.20.46.20. The good thing is that now I can get in. But I can't get full roam of all my vlans... although I can get all over one of them 192.168.50.0

I would like to terminate the vpn on an inside address but I'm afraid!

Will those entries you gave me affect any of my users leaving from my network?

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 14:03:55 GMT

Is it possible to create the vpn pool on a subnet that isn't on the router? If I could get my vpn sent in past the router outside int 10.20.46.20 past the inside int of 192.168.49.1 and to plop it down inside my L3 switch on the 192.168.50.0 network.

How can I help you help me? 🙂

I'm going grey over here.

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Wed, 19 Nov 2008 14:08:19 GMT

You can give the VPN pool and IP address of 192.168.254.0/24 - as long as the router, and the internal layer 3 routing device know that 192.168.254.0/24 is on the 2801 - no issues.

It's then a simple matter of routing!

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 14:28:15 GMT

I'm not sure how to get that address on the router only because I don't have any more interfaces I can use. I think I misunderstood.

Do I need to use a seperate subnet for the vpn clients or can I have them join an existing vlan the switch is routing?

I can post the switch config if you felt like looking at them.

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 14:36:32 GMT

I have the private network 192.168.49.0 and the only hosts on it are the router's internal int and the switch's (I'll call it) outside interface.

Could I plop the VPN users down into there with say a pool of 192.168.49.5 to 192.168.49.10?

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Wed, 19 Nov 2008 14:40:16 GMT

whoa - hold on mate.

You do not need to have a physical interface for VPN users. If you terminate the VPN on the outside interface (which is the norm) then you assign the VPN users an IP address from say 192.168.254.0/24 - the router KNOWS that this is a local pool.

The traffic from the VPN clients will enter the network with a 192.168.254.x address, from the routers inside interface. For this to work all you have to do, is make SURE the rest of your internal network knows that 192.168.254.0/24 lives on the router, just like a static route.

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 14:49:50 GMT

OK! 🙂 sorry about that.

So here's what I'm going to do.

Change

ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220

ip local pool SDM_POOL_1 192.168.254.200 192.168.254.220

and that's it?

Whew! that sounds easy as pie!

Would the routing already be covered by

router eigrp 1

network 192.168.0.0?

Or do I need to put a static route of maybe

ip route 192.168.0.0 255.255.0.0 10.20.46.20

I'm kinda shooting in the dark right now. Sorry about my ignorance.

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Wed, 19 Nov 2008 16:01:22 GMT

Hey hey!

It worked. It's funny how less scary things are once you've seen them work once.

I'm able to now get to all the hosts I need to manage remotely.

Now I'm onto the next tasks. QoS 😞

I'll be trying to give the client full bandwidth when it connects to do the maint.

See you in the other forums.

You rock, Andrew!

Thanks a lot. I mean it.

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Thu, 20 Nov 2008 19:39:51 GMT

Crap!!!!

I thought everything worked until we found the voice stopped working.

Everytime I entered:

interface Loopback0

ip address 214.27.53.58 255.255.255.255

I could only talk in one direction! 😞

Is there any way around using this??? With only a couple more days. I'm really up against the wall now.

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.20.46.1 10.20.46.30

ip dhcp pool Stratos_LAN

network 10.20.46.0 255.255.255.0

default-router 10.20.46.1

dns-server 158.152.1.58 158.152.1.43

voice-card 0

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

crypto pki trustpoint TP-self-signed-3884018817

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3884018817

revocation-check none

rsakeypair TP-self-signed-3884018817

crypto pki certificate chain TP-self-signed-3884018817

certificate self-signed 0D

3082023E 308201A7 A0030201 0202010D 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D

quit

fax interface-type fax-mail

username privilege 15

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Thu, 20 Nov 2008 19:47:45 GMT

Errrm why are you configuring a loopback on an internal virtual interface with an external IP address - that relates to voice?

The way around it is - do not configure the loopback interface?

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Thu, 20 Nov 2008 19:57:28 GMT

Oh man is it nice to see your reply.

I was just going to remove the loopback until I saw:

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

I don't really know how it ties together but it sounds important.

They originally landed my VPN on an outside interface. Then I moved it to that 192.168.254.o network like you suggested. It worked so I thought I was in the clear.

Can I remove all the related loopback stuff?

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Thu, 20 Nov 2008 20:03:15 GMT

Virtual-Templates are not my bag to be honest but a quick search on Cisco:-

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

As I read the above - to be honest as you are only using the VPN for remote client access, I would say you can remove the loopback interface config.

HTH>

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Thu, 20 Nov 2008 20:09:39 GMT

OK,

I'll give it a try. It really sucks that I'm on the yacht right now... the WAN link is so slow that it makes it hard for me to research much.

I'll just try to remove it and see what happens.

Thanks dude.

Re: Trying to configure a 2801 to let in VPN client PC's

andrew.prince — Thu, 20 Nov 2008 20:16:59 GMT

On a yacht huh!

Yeah I can see how that can be bad!!

Just remove the loopback interface, see what happens

Re: Trying to configure a 2801 to let in VPN client PC's

Deepseadata — Thu, 20 Nov 2008 22:53:22 GMT

I needed to get off the boat to come to a place where I could test remotely.

It timed out... I'm not sure if that's because of the lack of loopback or what.

So I wiped it out and now I may have opened up another can of worms with the crypto pki chain... it looks different now. I'm not sure if my client is expecting to use the previously generated key.

Time to read again... wow this is hard.